You are currently viewing Act Now: Cisco FMC RADIUS Flaw Allows Unauthenticated Remote Code Execution

Act Now: Cisco FMC RADIUS Flaw Allows Unauthenticated Remote Code Execution

Cisco has recently addressed a critical security vulnerability, CVE-2025-20265, in its Secure Firewall Management Center (FMC) Software. With a maximum CVSS score of 10.0, this flaw poses a significant risk, potentially allowing unauthenticated, remote attackers to execute arbitrary shell commands on affected systems. This blog post delves into the details of this vulnerability, its impact, and the necessary steps to mitigate it.

Vulnerability Details

The vulnerability resides within Cisco Secure FMC’s RADIUS subsystem, stemming from inadequate sanitization of user-supplied input during authentication. Specifically, when the system is configured to use RADIUS for web or SSH access, an attacker can submit maliciously crafted credentials. These inputs are passed to the RADIUS server for authentication without proper validation. If exploited, this flaw grants the attacker the ability to execute commands with elevated privileges.

Affected Products

The vulnerability impacts the following products and versions:

  • Cisco Secure FMC Software versions 7.0.7 (with RADIUS authentication enabled)
  • Cisco Secure FMC Software versions 7.7.0 (with RADIUS authentication enabled)

Impact & Exploit Potential

The impact of this vulnerability is severe. An attacker who successfully exploits CVE-2025-20265 could gain complete control over the affected firewall management system. This access could be leveraged to modify security policies, access sensitive network configurations, and launch further attacks within the compromised network. The CVE-2025-20265 vulnerability has a CVSS score of 10.0, highlighting its critical severity.

Tactics, Techniques, and Procedures (TTPs)

Attackers can exploit this vulnerability using the following tactics, techniques, and procedures:

  • TA0001 – Initial Access: Exploiting a public-facing application to gain initial entry into the network.
  • TA0002 – Execution: Executing arbitrary commands on the system.
  • TA0004 – Privilege Escalation: Elevating privileges to gain higher-level access.
  • T1190 – Exploit Public-Facing Application: Taking advantage of vulnerabilities in public-facing applications.
  • T1203 – Exploitation for Client Execution: Tricking a user into executing malicious code.

Mitigation & Recommendations

To address this critical vulnerability, Cisco has released free software updates. It is imperative that organizations using affected versions of Cisco Secure FMC Software prioritize updating their systems immediately.

As a temporary measure, consider disabling RADIUS authentication and switching to alternative authentication methods such as:

  • Local user accounts
  • External LDAP authentication
  • SAML single sign-on (SSO)

It is important to evaluate the impact of these changes on your specific network environment before implementation.

Real-World Observations

As of now, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any active exploitation of this vulnerability in the wild. However, given the severity and ease of exploitation, it is critical to apply the necessary patches and mitigations as soon as possible. The vulnerability was discovered during internal security testing by Brandon Sakai of Cisco, highlighting the importance of proactive security assessments.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.